Securing Azure DevOps
Security should always be the top concern when working with information and data, and all the more so for a cloud-hosted service such as Azure DevOps.
Microsoft keeps the underlying cloud infrastructure secure, but under the shared-responsibility model it is up to the customer to configure identity, access and policy settings inside Azure DevOps. The defaults are built for convenience, not least privilege.
Here’s a quick checklist. 😀
Connect the organization to Azure AD (Organization settings > Azure Active Directory) so that every sign-in goes through the tenant directory instead of personal Microsoft accounts, and only tenant users and guests you invited can become members.
AAD – enable Conditional Access with MFA and Named locations so that access to Azure DevOps requires a second factor and is only possible from approved networks. Conditional Access is evaluated at interactive sign-in; also review the organization policy for IP Conditional Access policy validation so that Azure DevOps rejects requests (including personal access tokens) that arrive from outside the allowed locations.
Disable public projects with the organization policy "Allow public projects" (Organization settings > Policies). A public project gives non-members, and even users who are not signed in, limited read-only access to the project's artifacts and services, which is rarely what an internal organization wants.
Set the visibility of each existing project to Private (Project settings > Overview > Visibility):
Use the built-in groups (Readers, Contributors, Project Administrators, and so on) where they fit, and grant access to groups rather than to individual users, so that membership changes are made in one place and are easy to audit.
When a new group or a custom set of permissions is needed, click New Group and set each permission individually, leaving everything at "Not set" or "Deny" unless the group genuinely needs it:
Permissions and policies can be managed at the project level (applying to all repositories) or at the level of an individual repository. Repository-level settings let you tighten rules for sensitive repositories, for example infrastructure or release code.
For the project level:
Permissions for a user or group are controlled under Project settings > Repositories (or Security): select the group, then set the required permissions. Pay particular attention to Force push, Delete, Bypass policies when pushing and Bypass policies when completing pull requests, since each of these lets the holder defeat the branch policies below:
Branch policies can be set at the project level (for all repositories) or on a specific repository and branch, for example requiring a minimum number of reviewers before a pull request can be completed. Make the policy Required rather than Optional, keep "Allow requestors to approve their own changes" unchecked, and consider resetting approval votes when new changes are pushed; otherwise a single author can still merge unreviewed code:
Additional policies can be set from the same page, such as requiring linked work items, requiring comment resolution, and build validation that runs a pipeline before the merge is allowed:
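The reviewer policy described above is only effective if it is enabled, blocking and strict for every branch that matters. The following script, added here as an example and not taken from the original post or from Microsoft, checks that. It consumes the JSON shape returned by the Azure DevOps Policy Configurations REST API (`GET {org}/{project}/_apis/policy/configurations`, which is also what `az repos policy list` prints) and flags branches whose "Minimum number of reviewers" policy is missing, disabled, optional, requires fewer approvers than a chosen threshold, lets the author approve their own change, or keeps approvals after new pushes. The repository IDs, policy IDs and values in `SAMPLE_POLICIES` are constructed for the demo; the threshold `min_reviewers=2` is an assumption, pick what your organization requires.

```python
"""Audit Azure DevOps branch-policy configurations for weak reviewer settings.

Added example (not code from the original post). Reads policy configuration
objects as returned by the Policy Configurations REST API / `az repos policy list`
and reports branches that do not meet a minimum-reviewer baseline.
"""
import json
import sys

# displayName that Azure DevOps uses for the reviewer policy type
MIN_REVIEWERS_TYPE = "Minimum number of reviewers"

# Constructed sample data (not real repositories): repo-a is configured well,
# repo-b has a weak reviewer policy, repo-c only has a build policy.
SAMPLE_POLICIES = json.loads(r"""
[
  {"id": 1, "isEnabled": true, "isBlocking": true,
   "type": {"displayName": "Minimum number of reviewers"},
   "settings": {"minimumApproverCount": 2, "creatorVoteCounts": false,
                "allowDownvotes": false, "resetOnSourcePush": true,
                "scope": [{"repositoryId": "repo-a", "refName": "refs/heads/main", "matchKind": "Exact"}]}},
  {"id": 2, "isEnabled": true, "isBlocking": false,
   "type": {"displayName": "Minimum number of reviewers"},
   "settings": {"minimumApproverCount": 1, "creatorVoteCounts": true,
                "scope": [{"repositoryId": "repo-b", "refName": "refs/heads/main", "matchKind": "Exact"}]}},
  {"id": 3, "isEnabled": true, "isBlocking": true,
   "type": {"displayName": "Build"},
   "settings": {"buildDefinitionId": 42,
                "scope": [{"repositoryId": "repo-c", "refName": "refs/heads/main", "matchKind": "Exact"}]}}
]
""")


def _as_list(policies):
    """Accept either the raw REST envelope {"count": n, "value": [...]} or a plain list."""
    if isinstance(policies, dict):
        return policies.get("value", [])
    return policies


def _scopes(policy):
    """Yield (repositoryId, refName) for every branch a policy applies to."""
    for scope in policy.get("settings", {}).get("scope", []):
        yield (scope.get("repositoryId"), scope.get("refName"))


def reviewer_policies_by_branch(policies):
    """Group 'Minimum number of reviewers' configurations by (repositoryId, refName)."""
    grouped = {}
    for p in _as_list(policies):
        if p.get("type", {}).get("displayName") != MIN_REVIEWERS_TYPE:
            continue
        for branch in _scopes(p):
            grouped.setdefault(branch, []).append(p)
    return grouped


def find_weak_branch_policies(policies, min_reviewers=2):
    """Return a list of (repositoryId, refName, problem) for every weak or missing reviewer policy.

    Every branch mentioned by any policy is checked, so a branch that has a build
    policy but no reviewer policy is reported too.
    """
    findings = []
    by_branch = reviewer_policies_by_branch(policies)
    all_branches = {b for p in _as_list(policies) for b in _scopes(p)}
    for repo, ref in sorted(all_branches):
        confs = by_branch.get((repo, ref), [])
        if not confs:
            findings.append((repo, ref, "no minimum-reviewer policy"))
            continue
        for p in confs:
            s = p.get("settings", {})
            count = s.get("minimumApproverCount", 0)
            if not p.get("isEnabled", False):
                findings.append((repo, ref, "reviewer policy disabled"))
            if not p.get("isBlocking", False):
                findings.append((repo, ref, "reviewer policy is optional (not blocking)"))
            if count < min_reviewers:
                findings.append((repo, ref, f"requires {count} approver(s), want >= {min_reviewers}"))
            if s.get("creatorVoteCounts", False):
                findings.append((repo, ref, "PR author may approve their own change"))
            if not s.get("resetOnSourcePush", False):
                findings.append((repo, ref, "approval votes survive new pushes (resetOnSourcePush off)"))
    return findings


if __name__ == "__main__":
    # Usage: python audit_policies.py [policies.json]; without a file the constructed sample is used.
    data = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_POLICIES
    for repo, ref, problem in find_weak_branch_policies(data):
        print(f"{repo} {ref}: {problem}")
```

Run it against `az repos policy list --project <project> -o json > policies.json` to get a per-branch list of gaps; an empty report means every branch the script saw has an enabled, blocking reviewer policy meeting the threshold. Remember that the check is only meaningful for users who cannot bypass policies, which is why the bypass permissions above should be denied to ordinary contributors.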
Enable Auditing at the organization level (Organization settings > Auditing) so that permission changes, policy bypasses, project visibility changes and similar events are recorded:
Enabling Auditing adds a new Auditing option under General:
Restrict the auditing permissions (viewing the audit log, and managing or deleting audit streams) to a small administrator group. Because the audit log is retained in Azure DevOps only for a limited period (90 days), set up an audit stream to Log Analytics, Event Grid or Splunk so that the events are kept in a store the organization controls and can be alerted on:
More details: Azure DevOps documentation | Microsoft Docs